MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708
SHA3-384 hash: 8a178a2d59d6a88c0181222bd233e494f9fe499dd01ecf4b9320b85df173f597bde80d40b44fb38061349d0044de4a40
SHA1 hash: a221f48f0c1abad0bcc91c7b92e8752afeb17e18
MD5 hash: 0bce8a5e688c5b01944888fa78475f18
humanhash: chicken-skylark-steak-seven
File name:yyyy.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:33'280 bytes
First seen:2021-08-06 13:04:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:uwf0dvEI3I2BmmDKNgjSTbd8cSw4RrpU205YFYCknoV:u5dsIVVDKNuSt8nJN8MYbc
Threatray 108 similar samples on MalwareBazaar
TLSH T1A3E2E019937ACCF3F2320F381E2453E552B6EA2A5DB5673F06D06A270DB06159E90A37
Reporter James_inthe_box
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5.exe
Verdict:
No threats detected
Analysis date:
2021-08-03 10:27:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4ffaf5c-aa57-48c6-b3bf-5ecb13413d98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177004/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Sending a UDP request
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a14d02a-df32-481b-bee0-1f7a81b06e5b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828293
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460724 Sample: yyyy.exe Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for submitted file 2->42 44 .NET source code contains potential unpacker 2->44 46 Machine Learning detection for sample 2->46 48 3 other signatures 2->48 7 yyyy.exe 14 5 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 9 1 2->14         started        16 10 other processes 2->16 process3 dnsIp4 36 sanctam.net 185.65.135.248, 49714, 58899 ESAB-ASSE Sweden 7->36 38 bitbucket.org 104.192.141.1, 443, 49716 AMAZON-02US United States 7->38 26 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 7->26 dropped 28 C:\Users\user\AppData\Local\...\yyyy.exe.log, ASCII 7->28 dropped 56 Injects code into the Windows Explorer (explorer.exe) 7->56 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 64 3 other signatures 7->64 18 explorer.exe 7->18         started        62 Changes security center settings (notifications, updates, antivirus, firewall) 12->62 22 MpCmdRun.exe 1 12->22         started        40 127.0.0.1 unknown unknown 14->40 file5 signatures6 process7 dnsIp8 30 91.121.140.167, 3333, 49723 OVHFR France 18->30 32 pastebin.com 104.23.98.190, 443, 49722 CLOUDFLARENETUS United States 18->32 34 2 other IPs or domains 18->34 50 System process connects to network (likely due to code injection or exploit) 18->50 52 Query firmware table information (likely to detect VMs) 18->52 24 conhost.exe 22->24         started        signatures9 54 Detected Stratum mining protocol 30->54 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708/
Threat name:
ByteCode-MSIL.Trojan.Cryptos
Create hunting rule
Status:
Malicious
First seen:
2021-07-25 19:01:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfacadqatsaryr76cax6i6za6mwpnmnl6mexlgzew2sppgrgw4ea._file
Verdict:
malicious
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
CoinMiner.XMRig
3cee28ef52c59c99b841c6927f5085e483523cb8b606ff9ce5d60b3c13574545
CoinMiner.XMRig
479579cc0f9ecdbcdb6d8df674940a411a0fdaa9ab66fc87db6a24658f979204
CoinMiner.XMRig
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
CoinMiner.XMRig
a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe
CoinMiner.XMRig
c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6
CoinMiner.XMRig
c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
CoinMiner.XMRig
f54decb2e130b98a9bfe13d57fe46af74d408720f490a1df519417125d2c206c
CoinMiner.XMRig
f719282ac5833fe573f4ac8221fb4214828855f4f05bc11ffbc73f6c019125a9
CoinMiner.XMRig
+ 98 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210806-l9rmrrwx8n/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708
MD5 hash:
0bce8a5e688c5b01944888fa78475f18
SHA1 hash:
a221f48f0c1abad0bcc91c7b92e8752afeb17e18
Link:
https://www.unpac.me/results/3b0d908f-8f27-4f2f-b842-d0b799850dce/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4940200e009c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
Author:Florian Roth
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/177004/

Comments